Eclipse CogniCrypt

Eclipse CogniCrypt is an intelligent open-source platform ensuring the secure usage of crypto components.

CogniCrypt - Secure Integration of Cryptographic Software

A large number of recent studies have shown that most software applications that use cryptographic procedures misuse them. The VeraCode Report State of the Software Security 2017 lists the insecure use of cryptography as the second most common cause of software vulnerabilities, right after data leakage.

Eclipse CogniCrypt was developed within the collaborative research center CROSSING of Technische Universität Darmstadt. It allows developers to quickly identify and fix security-critical misuses of cryptographic libraries.

The plugin Eclipse CogniCrypt ships in two main components: A wizard for code generation that supports a developer in generating secure code for common cryptographic tasks and a static code analysis that continuously checks the (generated and non-generated) code of the developer directly within Eclipse.

Overview over CogniCrypt


Code Generation

The code-generation feature CogniCryptGEN is designed as a wizard that guides developers to select the correct cryptographic algorithms for their cryptographic use case at hand. The wizard asks high-level questions related the use case in order to tailor the solution to the user’s needs. The user documentation discusses the wizard in more detail.

Static Code Analysis

The static code analysis CogniCryptSAST continuously checks the developer’s code for correct implementations. Upon saving the code in the editor, a static analysis is triggered in the background and reports warning when a cryptographic API is used incorrectly.

The video below shows a minimal example demonstrating the static code analysis within Eclipse.

In the example, the developer creates a Cipher object and supplies the String "AES" as argument to configure using the encryption algorithm AES. They save their code and are warned instantaneously by CogniCrypt. By default, the algorithm AES encrypts with the insecure block mode ECB. The developer changes the Cipher object to be configured in a secure way (using the String "AES/CBC/PKCS5Padding" which requests from the provider a secure block mode "CBC" and a correct padding mode; assuming padding oracle attacks are prevented, e.g. by adidtional integrity checks). CogniCrypt’s error message disappears. For a more in-depth explanation, please check out the user documentation.

Main Contributors

CogniCrypt originated in TU Darmstadt's Collaborative Research Center CROSSING but by now its development is managed in an international collaboration between several research institutes. Join Us!


Generous financial support is provided by: